We’ve written quite a bit about the need for changes to software virtualization licensing terms to uncouple them from the physical hardware and accommodate the dynamic, shared computing environments that virtualization has made possible. Many vendors’ licensing terms remain outdated because they prohibit the movement of workloads or the divvying up of resources.
This counters some of the benefits of moving to a cloud model and adds another snag to a long list of cloud security risks on the minds of CIOs and CISOs.
Michael Daly, deputy CISO and director of IT security services for Raytheon, said that it’s a two-sided security coin: Vendors and SaaS providers want to make sure that you are truly using only the licenses allowed to you by contract, but how do you prove usage in an environment in which usage is fluid?
What it comes down to is validation, said Daly. The vendors want to know that you are not “fibbing” about usage, “but the alternative is that you [give] all these vendors — and you might have hundreds of products in this [virtual/cloud computing environment] — oodles of usage data about every movement your business makes.”
That’s too much information to be giving away, and then some. “It might even not be legitimate for you to be giving it away under some SEC rule, because you might be giving away stock-affecting information about how many customers you have at any given time,” he said.
Daly’s advice to other CISOs and CIOs is to minimize cloud security risk by negotiating a contract that lets you test your hosted environment for vulnerabilities and change simple things such as passwords.
“Get friendly with a lawyer,” he said. “Walk through the contract language to make sure there is flexibility in there, and that you understand what happens financially when you do want to make a change to that environment.”
In our coverage next week, SearchCIO.com will explore how corporate information security practices change when a virtual cloud environment is added to the mix.
In the meantime, here’s more food for thought from experts and CIOs grappling with cloud security risks:
- Are you beholden to the security practices of the cloud provider, or is there room to change the rules to suit your needs?
- If your data is housed on a shared cloud, does it still meet the mandates of certain regulations?
- Do cloud providers need to create more modular environments for their customers to prevent potential data-sharing mix-ups between customers?
Let us know what you think about the blog post; email Christina Torode, News Director.